Banks Collaborating to Fight Online Fraud

A feature article on WSJ.com today profiles the initiatives of various banks and financial services firms to act more collaboratively when countering fraud and other malicious activity in cyberspace. A number of investment banks, including Morgan Stanley, Goldman Sachs, and others, will consult with researchers from NYU Polytechnic on the creation of a central fraud detection data center. The article also notes that Bank of America has been hosting quarterly security roundtables with competing firms. Both initiatives are designed to encourage banks to work together to better protect against hackers, whose efforts to shut down electronic operations and steal money or customer data pose a growing concern for the industry. Sony Corp., the Central Intelligence Agency and Citigroup Inc. are just a few of the firms that cyber-rogues have targeted over the past year.

Online attacks have increased sharply over the past two years and financial institutions are among the most likely targets, according to a new survey by PricewaterhouseCoopers LLP, the consulting firm.

While many bank officials agree with the information-sharing in principle, some are concerned that doing so could provide rivals with too much insight into their operations.

At the NYU-Poly meeting, for instance, some bank officials are expected to make the case that banks should scour their own data internally, rather than provide information to outside researchers, people familiar with the matter said.

"The mentality of the banks has been, 'Let's do everything internally because we don't want to give anything away,' " said Peyman Mestchian, a managing partner with Chartis Research in London.

But hackers are forcing banks to abandon that old go-it-alone mindset in favor of a more-inclusive approach, executives said.

"We realized that just as the fraudsters collaborate with each other, we as an industry must collaborate," said Keith Gordon, a Bank of America senior vice president of security.

Additionally, the story mentions that email verification firm eCert has been munging data provided by a number of banks in an effort to stop fraudulent email attacks. The piece also contains a nod to the Financial Services Information Sharing and Analysis Center, and concludes with an anecdote hinting at how far the industry may have come in its willingness to collaborate in less than a decade:

...[I]t is only recently that banks have begun to lift the veil. At an industry conference in 2003, said David Jevans, the founder of IronKey, a security firm based in Sunnyvale, Calif., the chief technology officer of a large bank said "phishing" attacks used by cyber criminals to extract personal information were not a threat.

"I went up to him afterward and said, 'If they are not a threat, why are you spending $2 million on software to protect against them?' " Mr. Jevans recalled. The executive's answer: "We don't want to talk about fraud in front of anyone."